[Open.ogc] CORS Support for services.ogc.noaa.gov

Chi Kang - NOAA Federal chi.y.kang at noaa.gov
Wed Jun 19 18:20:02 UTC 2013 

Explain to me why you think allowing Access-Control-Request-Headers:
x-requested-with would solve this problem?


On Tue, Jun 18, 2013 at 5:33 PM, Tim Haverland - NOAA Federal
<tim.haverland at noaa.gov> wrote:
> OK, I was able to publish my page to our test server, and there's no port
> appended to the origin:
>
> Accept:
> */*
> Accept-Encoding:
> gzip,deflate,sdch
> Accept-Language:
> en-US,en;q=0.8
> Access-Control-Request-Headers:
> origin, x-requested-with
> Access-Control-Request-Method:
> GET
> Cache-Control:
> no-cache
> Connection:
> keep-alive
> Host:
> services.ogc.noaa.gov
> Origin:
> http://www.st-test.nmfs.noaa.gov
> Pragma:
> no-cache
> Referer:
> http://www.st-test.nmfs.noaa.gov/appstech/map-test
> User-Agent:
> Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko)
> Chrome/27.0.1453.110 Safari/537.36
>
>
> Still get the error:
>
> Origin http://www.st-test.nmfs.noaa.gov is not allowed by
> Access-Control-Allow-Origin
>
> WOC, can you allow the header x-requested-with to see if that fixes the
> problem?
>
> Tim
>
>
> On Tue, Jun 18, 2013 at 4:26 PM, Micah Wengren <micah.wengren at noaa.gov>
> wrote:
>>
>> Tim,
>>
>> I found this:
>> http://www.html5rocks.com/en/tutorials/cors/#toc-handling-a-not-so-simple-request
>>
>> It sounds like jQuery or some part of the CMS is trying to ask whether the
>> server will accept a header 'x-requested-with'.  I'm sure that's not
>> required for OpenLayers, but it's being inserted anyway by some part of your
>> site code.  I don't know if that would cause the disallowed origin error
>> message you're seeing if the non-standard header isn't supported or not, but
>> if it is, there must be some way to disable that within the application, or
>> this might get kinda complicated to get working.
>>
>> Either way, are you sure that the port on your server isn't the issue?
>> From doing a little reading, it seems that since you're using a non-standard
>> port, the 'Origin' header your site will be submitting should look like
>> this:
>>
>> Origin: http://triggerfish2.nmfs.noaa.gov:9992
>>
>> It's possible that that might not match the rules in our
>> 'Access-Control-Allow-Origin' setting, if it's only a plain string
>> comparison or something that Apache does.
>>
>> Micah
>>
>>
>>
>> On 6/18/2013 2:41 PM, Tim Haverland - NOAA Federal wrote:
>>
>> I don't know the inner workings of our content management system, so not
>> sure what's sending the x-requested-with header; however, I read that this
>> is pretty common with Ajax requests, especially from jQuery.
>>
>>
>> On Tue, Jun 18, 2013 at 2:22 PM, Micah Wengren <micah.wengren at noaa.gov>
>> wrote:
>>>
>>> Hi open.ogc at list.woc.noaa.gov,
>>>
>>> I'm sending this thread I've been on with Tim back to the email list to
>>> see if we can expedite troubleshooting what the issue is with a CORS request
>>> from Tim's development server to services.ogc.noaa.gov. He's connecting
>>> from:
>>>
>>> http://triggerfish2.nmfs.noaa.gov:9992
>>>
>>> and trying to display one of our services on an OpenLayers map (and do a
>>> GetFeatureInfo request, which leads to the need  for CORS support).
>>>
>>>
>>> I don't really have the answer to his question, anyone at the WOC know
>>> about accepting non-standard headers?
>>>
>>> Tim, do you know why this header is required from your side, and what the
>>> server should be doing with it?
>>>
>>> Thanks,
>>> Micah
>>>
>>> On 6/18/2013 2:05 PM, Tim Haverland - NOAA Federal wrote:
>>>
>>> Yeah, doesn't look like the port is an issue, however, my request is sent
>>> with these headers:
>>>
>>> Access-Control-Request-Headers:
>>> origin, x-requested-with
>>>
>>>
>>> I've read that the server may need to accept "non-standard" headers.
>>> x-requested-with is a non-standard header. Is this accepted on the server
>>> side?
>>>
>>> Tim
>>>
>>>
>>> On Tue, Jun 18, 2013 at 1:35 PM, Tim Haverland - NOAA Federal
>>> <tim.haverland at noaa.gov> wrote:
>>>>
>>>> yes, response header says:
>>>>
>>>> Access-Control-Allow-Origin:
>>>> *.noaa.gov
>>>>
>>>>
>>>>
>>>> On Tue, Jun 18, 2013 at 1:32 PM, Micah Wengren - NOAA Federal
>>>> <micah.wengren at noaa.gov> wrote:
>>>>>
>>>>> Hi Tim,
>>>>>
>>>>> I don't know what bearing ports have on CORS.  Everything from noaa.gov
>>>>> should be allowed though.  If you examine http headers with firebug or
>>>>> something you should be able to see the rule Chi added in the header list.
>>>>> I believe he would have added it for both http and https, but I'd have to
>>>>> check. Not at my machine right now. It's more important for http in this
>>>>> case...
>>>>>
>>>>> Micah
>>>>>
>>>>>
>>>>>
>>>>> On Tuesday, June 18, 2013, Tim Haverland - NOAA Federal
>>>>> <tim.haverland at noaa.gov> wrote:
>>>>> > Micah, is CORS supported on the production version of geoserver? I'm
>>>>> > trying to implement my map in our content management system, and get the
>>>>> > following error:
>>>>> > Origin http://triggerfish2.nmfs.noaa.gov:9992 is not allowed by
>>>>> > Access-Control-Allow-Origin.
>>>>> >
>>>>> > Maybe it's the port that's throwing things off?
>>>>> > Tim
>>>>> >
>>>>> > On Thu, Jun 13, 2013 at 1:27 PM, Micah Wengren - NOAA Federal
>>>>> > <micah.wengren at noaa.gov> wrote:
>>>>> >>
>>>>> >> Hi Tim,
>>>>> >>
>>>>> >> We have *.noaa.gov enabled anyway for CORS support now.  If you can
>>>>> >> copy your openlayers page to your dev server and test it out and let me know
>>>>> >> if it works, that would be great. Whenever you get a chance, no rush.
>>>>> >>
>>>
>>>
>>
>>
>>
>> --
>> Tim Haverland
>> Acting Operations Branch Chief
>> NOAA Fisheries Office of Science and Technology
>> 1315 East-West Highway
>> SSMC3 Rm 12303
>> Silver Spring, MD 20910
>> 301-427-8137
>>
>>
>
>
>
> --
> Tim Haverland
> Acting Operations Branch Chief
> NOAA Fisheries Office of Science and Technology
> 1315 East-West Highway
> SSMC3 Rm 12303
> Silver Spring, MD 20910
> 301-427-8137
>
> _______________________________________________
> Open.ogc mailing list
> Open.ogc at list.woc.noaa.gov
> https://list.woc.noaa.gov/cgi-bin/mailman/listinfo/open.ogc
>



-- 
Chi Y Kang
Principal Engineer
Phone: 301.628.5642
Cell: 240.338.1059

More information about the Open.ogc mailing list